From the very first call, dealing with a friendly member from the IT support team at HTL has made solving any IT issues we have an enjoyable experience.

Catherine Dowd, Office Manager, RFC Ambrian

Where should I store my data? A guide to online and offline storage and access

How service sector businesses can minimise risk and achieve regulatory compliance for data storage

Data storage continues to be a major consideration for businesses. With regulations covering diverse aspects such as retention periods and sovereignty, the question of where best to store data is multi-faceted.

Failing to retain data for the required time may bring a company into conflict with HMRC or the regulatory body for a particular sector. For professional services businesses such as legal firms this is The Law Society; for a financial sector business it is the FSA, both of which have the power to suspend the activities of a regulated firm.

Traditionally, the question of where to store data could have been more accurately framed as “on what media should I store data?” This was essentially about the relative merits of hard disk, tape or optical storage technologies such as data CD storage. However, over the last decade, the increasing development of online, cloud-based computing services and the flexibility of computing using mobile devices have changed the debate.

In this guide we discuss the options to identify the best data storage choices for businesses.

Download this White Paper

Offline or Online?

The Issues

Common to both the cloud and private business networks is the ability to share a single, centrally located data source across connected users and devices. One of the main advantages of this is to ensure that all users are accessing the latest version with the most up-to-date information. Whether it’s a spread sheet of contact data or a database file of CRM data, each user has access to the current version of the information.

The ubiquitous nature of internet connectivity and the proliferation of mobile devices mean it is possible to work
with cloud data sources and applications while on the move or in locations remote from an office or base.

The use of cloud services unauthorised by the business also present a security risk. Rogue employees, using third-party services, such as ‘gotomyPC’ and sometimes referred to as ‘shadow IT’, poses risks from business data being put in the cloud in an uncontrolled way.

Quite often, users have the ability to take the data offline - that is to create a local copy on a computing or a removable storage device such as a USB stick. Quite often the motive is to be able to work with the data without network connectivity.

However, the risks of taking data offline are well documented. The loss of computing or storage devices with highly confidential
data such as security intelligence, witness and victim evidence for legal proceedings, or plain old business IP have all been highly publicised and resulted in reputational damage.

Best advice

As a rule a good data management policy should strive to avoid data being taken offline. If it absolutely has to be taken offline, then encrypt the data on the end user device. Consider configuring the device to automatically destroy data if incorrect passwords or decryption is attempted.

Where is the server?

The Issues

Servers may be in an office server room or for a bigger business, a data centre. They may also be located at a remote location such as a head office or in a commercial third-party data centre along with thousands of others.

The question here is one of physical security. In an open plan office where a Small Business Server is tucked in a cupboard or just out in the open, data is vulnerable because there is no physical protection to prevent damage or theft. A locked server room or data centre in an office provides a minimum level of access control, but whether that is enough depends on how sensitive your data is and how much risk can be tolerated.

Best advice

For servers in office environments, a good standard of physical security is supported by 24/7 access control. It is preferable that this is monitored with verification of any physical access events provided by a suitable real-time technology like CCTV. Consider the benefits of encryption to provide another security layer should unauthorised data access take place.

A good dedicated data centre facility should have physical security standards rated to ISO27001. This means the facility has deployed physical security in line with accepted industry best practice.

Where is the data centre?

The Issues

Some businesses may use remote data centres to store server data. This could be replicating on-premise server data for the purposes of backup and Disaster Recovery (DR); or it could be the business uses a hosted desktop solution, where file data as well as virtual desktop processes are concentrated.

The use of discrete web applications for specific business processes is also likely to place company information on remote data centre servers. Whatever the specific of any service or solution, in all cases the issue is the geographical location of the data centres and which country (or countries) laws govern the data?

Data sovereignty is a barrier that has prevented some businesses from fully exploiting the benefits of cloud computing. In particular the question marks over which laws apply to data held in offshore locations have proved problematical.

The Safe Harbour agreement lets American companies use a single standard for consumer privacy and data storage in both the US and Europe. However, recent legal challenges have brought the validity of Safe Harbour into question. In particular, US registered companies storing European customer data in European facilities may have to surrender the data to the US authorities if so requested, and the European Court of Justice has ruled this is invalid and that individual EU nations should set their own rules.

Best advice

For UK companies the best policy is to use UK registered companies as service providers with information storage policies that restrict data to UK-only data centres. Private cloud solutions ensure a company’s data remains under its direct control while releasing the operational benefits of the cloud to the business.

Private clouds operated by the service provider may be multi-tenanted, with the resource shared between different businesses without compromising the data security of individual companies. While this releases some economy of scale, it cannot match the financial advantages of large shared public cloud infrastructure. As in so many other spheres, the trade-off is one of cost versus risk.